You’ve gone ahead and issued a certificate with a SAN entry of the Delivery Controller’s FQDN and bound it to the Delivery Controller’s IIS bindings:

You’ve also confirmed that you have updated your StoreFront’s URL to HTTPS instead of HTTP in Citrix Studio for your Delivery Controller configuration:

You’ve verified the port mappings by launching the command prompt, navigating to the directory:

C:\Program Files\Citrix\Broker\Service

… and executing:

brokerservice /show

SDK Port: 80
VDA Port: 80
WI Port: 80
WI SSL Port: 443
Log File:

With all the configuration and checks above completed, you proceed to restart your servers and test logging in via your NetScaler, but quickly receive the following message upon successfully logging in:

Log Name: Citrix Delivery Services
Source: Citrix Store Service
EventID: 0
Level: Error
Message: An SSL connection could not be established: None of the SSL cipher suites offered TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_SHA, TLS_RSA_WITH_AES_256_SHA were accepted by the server.. This message was reported from the Citrix XML Service at address . The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

Note that Event ID 0 is logged first, followed by Event ID 4003.

Solution

This issue threw me off quite a bit because my colleague had just gone through a XenDesktop 7.5 training course and, when I reviewed his lab guide demonstrating how to configure this, I was sure I hadn’t missed any steps, but while his lab environment displayed applications after login, my environment did not. I was pretty close to trying the solution Adam Paul Shattuck posted on a forum:

… where he did not have IIS installed on the Delivery Controller, so he used the netsh command to bind the SSL certificate to the Broker service with its GUID. My environment had IIS, so I decided to search for the Event ID 0 error since that was logged first, and that was when I came across this blog post by Mark Brilman:

He had run into an issue where his StoreFront server was logging the Event ID 0 message:

An SSL connection could not be established: None of the SSL cipher suites offered TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_SHA, TLS_RSA_WITH_AES_256_SHA were accepted by the server.. This message was reported from the Citrix XML Service at address . The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

… and the way he fixed it was by applying a GPO to his Delivery Controller that enabled a setting named SSL Cipher Suite Order. The environment I was working on only had one Delivery Controller, so instead of using a GPO, I launched gpedit.msc and enabled the setting as such:

… but checking the setting showed that it was enabled, so I closed the dialog, ran gpupdate /force and tested again, but still got the same error. Since Mark recommended restarting the server, I went ahead and restarted it, tested again and noticed that the problem went away. All applications were displayed properly and could be launched by clicking on them.
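As an added check that is not part of the original post, the following PowerShell script, run from the StoreFront server, reads the SSL Cipher Suite Order policy value on the Delivery Controller (the Remote Registry service is assumed reachable), negotiates TLS with the XML service on 443 the way the Store Service does, and lists recent Event ID 0 and 4003 entries. The Delivery Controller FQDN is a placeholder.

```powershell
# Added example (not from the post). Run on the StoreFront server after the fix.
# Assumption: Remote Registry is reachable on the Delivery Controller; the FQDN is a placeholder.
$ddc = 'ddc01.ad.domain.com'   # placeholder Delivery Controller FQDN

# 1. The "SSL Cipher Suite Order" GPO/gpedit setting writes this value when enabled
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ddc)
$key = $reg.OpenSubKey('SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002')
$functions = if ($key) { $key.GetValue('Functions') }
if ($functions) {
    'SSL Cipher Suite Order is enabled on {0} with {1} suites' -f $ddc, ($functions -split ',').Count
} else {
    'SSL Cipher Suite Order is not configured on {0}; the Schannel default order applies' -f $ddc
}

# 2. Negotiate TLS with the XML service and report what was agreed
function Test-XmlServiceTls([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Certificate validation stays on: a name or chain mismatch is a real finding
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        New-Object PSObject -Property @{
            Host = $HostName; Protocol = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm
            Strength = $ssl.CipherStrength; Hash = $ssl.HashAlgorithm
        }
    } finally { $tcp.Close() }
}
Test-XmlServiceTls -HostName $ddc | Format-List Host, Protocol, Cipher, Strength, Hash

# 3. Event ID 0 is logged first, followed by 4003, when the XML service is dropped
Get-WinEvent -FilterHashtable @{ LogName = 'Citrix Delivery Services'; Id = 0, 4003
                                 StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName,
                  @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```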

Tuesday, October 28, 2014

There have been plenty of times in the past where I used to dread reviewing the Programs and Features’ View installed updates window in search of a hotfix that I needed to remove:

This is especially the case with older operating systems, where a seemingly endless list of hotfix updates has been installed and scrolling through the list isn’t exactly a pleasant experience:

I’ve also been asked in the past to perform an audit for incidents where a server that wasn’t supposed to be patched was patched, and the manager wanted to know who installed the updates. As some may know, right clicking on the column headings gives you additional fields that you can choose to add, but it does not provide a column listing which account installed them:

With the challenges mentioned above in mind, the PowerShell cmdlet I’ve enjoyed using over the past year to manage Windows hotfix updates is Get-HotFix:

This cmdlet will simply list out all of the hotfixes along with the following headings:

Source

Description

HotFixID

InstalledBy

InstalledOn

Definitely one of the cmdlets I’ve used most when trying to get an idea as to what updates have been installed onto a server, because I can dump the output to a file with > and do a quick search in Notepad.

If you would like the results ordered by a certain column, you can simply pipe the output to Sort-Object, as follows:

Get-HotFix | Sort-Object Description

Note that the list is now sorted by the Description column. You can use the -descending switch to reverse the order:

Get-HotFix | Sort-Object Description -descending

You can also use multiple columns to sort the list:

Get-HotFix | Sort-Object Description,HotFixID

You can also list a remote server’s hotfixes (PowerShell Remoting does not need to be turned on) with:

Get-HotFix -ComputerName <ComputerName>

If you’re looking for a specific hotfix, you can also use the Where command to find a match, such as the following:

Get-HotFix | Where HotfixID -match "2995004"
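Putting the pieces above together for the audit scenario described earlier, here is an added example (not from the original post) that queries several servers, keeps only hotfixes installed within a date window, summarises them by the installing account and exports the detail to CSV. The server names, the window and the output path are placeholders.

```powershell
# Added example (not from the post): who installed which hotfixes, and when,
# across a set of servers. Server names, window and output path are placeholders.
param(
    [string[]]$ComputerName = @('SERVER01', 'SERVER02'),
    [datetime]$Since = (Get-Date).AddDays(-30),
    [string]$OutFile = '.\HotfixAudit.csv'
)

$results = foreach ($computer in $ComputerName) {
    try {
        # Get-HotFix queries each server directly; PowerShell Remoting is not required
        Get-HotFix -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
            Select-Object @{ n = 'Computer'; e = { $computer } },
                          HotFixID, Description, InstalledBy, InstalledOn
    }
    catch {
        Write-Warning "Could not query $computer : $($_.Exception.Message)"
    }
}

# Summary by installing account, the column Programs and Features does not offer
$results |
    Group-Object InstalledBy |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Full detail, sorted for a quick search, written out for the incident record
$results |
    Sort-Object Computer, InstalledOn, HotFixID |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Entries whose InstalledOn is blank (some older updates report none) are deliberately excluded from the date filter.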

A command I use quite frequently to remove hotfixes is wusa.exe, with the following format:

wusa.exe /uninstall /kb:<KB Number>

Additional switches such as /quiet and /norestart are also commonly used.

Saturday, October 25, 2014

You have a new server installed with Windows Server 2012 R2 and need to install .NET Framework 4.5 with other roles and features so you mount the Windows Server 2012 R2 media, launch Windows PowerShell then execute the following cmdlet:

This issue actually had me scratching my head for quite a bit of time because the error appeared to suggest that there was something wrong with the source files. Executing this cmdlet or using the Add Roles and Features Wizard did not allow me to successfully install the components I needed for a Lync Server 2013 install I was doing, and copying the source files from the Windows Server 2012 R2 media directly onto the server did not work either. A bit of searching suggested trying to get the install.wim Index number with a command such as:

dism /get-wiminfo /wimfile:d:\sources\install.wim

… then pass the Index of the Windows Server 2012 R2 image to the Add-WindowsFeature cmdlet:

WARNING: You must restart this server to finish the installation process.
WARNING: Windows automatic updating is not enabled. To ensure that your newly-installed role or feature is
automatically updated, turn on Windows Update.
PS D:\sources\sxs>

I haven’t actually encountered the issue on a Windows Server 2012 R1 server, but the following TechNet blog indicates that Security Update for Microsoft Windows 2966827 can cause the same issue as well.
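The index lookup and feature install described above, carried through in PowerShell as an added example (not the post’s own command): it enumerates the images in install.wim, picks the Standard edition’s index, passes it to Install-WindowsFeature via the wim:<path>:<index> form of -Source, and checks the result object. The drive letter D:, the edition match and the fallback index are assumptions.

```powershell
# Added example (not from the post). Assumptions: media mounted on D:, Standard
# edition; the fallback index of 2 is a placeholder for this environment.
$wim = 'D:\sources\install.wim'

# Same information as "dism /get-wiminfo", but as objects
$images = Get-WindowsImage -ImagePath $wim
$images | Format-Table ImageIndex, ImageName -AutoSize

# Pick the full (non-Core) Standard image; image names end in SERVERSTANDARD,
# SERVERSTANDARDCORE, SERVERDATACENTER, SERVERDATACENTERCORE
$index = ($images | Where-Object { $_.ImageName -match 'SERVERSTANDARD$' } |
          Select-Object -First 1).ImageIndex
if (-not $index) { $index = 2 }   # placeholder fallback

# -Source accepts wim:<path>:<index>, so the payload comes from the media image
# instead of Windows Update
$result = Install-WindowsFeature -Name NET-Framework-Core, NET-Framework-45-Core `
    -Source "wim:${wim}:${index}"

# The returned object says whether it worked and whether a restart is pending
$result | Select-Object Success, RestartNeeded, ExitCode
$result.FeatureResult | Select-Object DisplayName, Success, RestartNeeded

# Confirm the install state as the wizard would show it
Get-WindowsFeature -Name NET-Framework-Core, NET-Framework-45-Core |
    Format-Table Name, InstallState -AutoSize
```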

Thursday, October 23, 2014

You’ve just completed deploying Lync Server 2013 on a Windows Server 2012 R2 server but notice that the Lync Server Management Shell does not load and hangs with a black screen regardless of whether you run it as an administrator or not:

Solution

This only appears to affect Windows Server 2012 R2 deployments as the application shortcut appears to be created with a missing quote:

Wednesday, October 22, 2014

I recently had to troubleshoot an issue for a client whose log drive filled up, and they wanted to identify whether there was a device generating excessive logs on the Exchange server or whether they genuinely received that much mail between the last backup and the time when the drive filled up. To determine whether the Exchange Organization did indeed receive enough mail to fill up the log drive, I directed my attention to the Tracking Log Explorer. Those who are familiar with Exchange Server 2010’s Tracking Log Explorer feature, located in Microsoft Exchange –> Microsoft Exchange On-Premises –> Toolbox –> Tracking Log Explorer:

… would probably have come across this situation where you would like to export the returned table results:

… but noticed that there does not appear to be a way to do so via the GUI:

The GUI does not provide a way to export these logs to a text or CSV file, and therefore there wasn’t a way for me to easily add up the TotalBytes column to get an idea as to how much mail was sent and received:

I recall asking a Microsoft support engineer years ago about this for Exchange 2007 and the answer was that there was no way, but seeing how it has been such a long time, I went ahead and did a quick Google search which returned this Exchange Team Blog post:

This was exactly what I wanted because I could sum the TotalBytes column, but the command was a screenshot which meant I had to type it out. It was a bit annoying to have to type all that out when I was in a rush to get the results to the client at 1 a.m., so to avoid having to do this again in the future, I’m going to paste the command here for reference in case I ever need it again:
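As an added example (not the command from the post or from the Exchange Team Blog), the following Exchange Management Shell script answers the two questions above: how much mail volume the organization handled in the window, and whether one sender accounts for most of it. The server name and the time window are placeholders for the last backup and the time the drive filled up.

```powershell
# Added example (not from the post). Run in the Exchange Management Shell.
# Server name and window are placeholders (last backup -> drive full).
$server = 'EXCH01'
$start  = Get-Date '2014-10-21 22:00'
$end    = Get-Date '2014-10-22 01:00'

# The same rows the Tracking Log Explorer shows, but as objects we can aggregate
$log = Get-MessageTrackingLog -Server $server -Start $start -End $end -ResultSize Unlimited

# Volume per event type. A message produces several events (RECEIVE, SEND,
# DELIVER ...), so compare per type rather than summing the whole column once
$log | Group-Object EventId | ForEach-Object {
    $sum = ($_.Group | Measure-Object -Property TotalBytes -Sum).Sum
    New-Object PSObject -Property @{
        EventId = $_.Name; Messages = $_.Count; GB = [math]::Round($sum / 1GB, 2)
    }
} | Sort-Object GB -Descending | Format-Table EventId, Messages, GB -AutoSize

# Top senders by volume on RECEIVE, to spot a device or application flooding
# the organization rather than genuine user mail
$log | Where-Object { $_.EventId -eq 'RECEIVE' } | Group-Object Sender | ForEach-Object {
    $sum = ($_.Group | Measure-Object -Property TotalBytes -Sum).Sum
    New-Object PSObject -Property @{
        Sender = $_.Name; Messages = $_.Count; MB = [math]::Round($sum / 1MB, 1)
    }
} | Sort-Object MB -Descending | Select-Object -First 10 |
    Format-Table Sender, Messages, MB -AutoSize

# The export the GUI lacks, for the client's incident record
$log | Select-Object Timestamp, EventId, Source, Sender, MessageSubject, TotalBytes,
                     @{ n = 'Recipients'; e = { $_.Recipients -join ';' } } |
    Export-Csv -Path '.\TrackingLog.csv' -NoTypeInformation
```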

… how can the HTTP traffic between the NetScaler and StoreFront be secured, since the NetScaler effectively authenticates with the StoreFront server(s) and the StoreFront server makes a callback to the NetScaler during the process? The answer is simple: use HTTPS instead. Not all of the customers I work with use HTTPS because their justification is that their server VLANs are secured, but I usually recommend using HTTPS when possible. To do so, a certificate will be required for the URL that the NetScaler will be using to reach the StoreFront servers. Before I begin demonstrating the configuration, I would like to note the following points:

Do not use the same URL that you are using for users on the internet or internal VLAN to access the NetScaler for the StoreFront server(s). This means that if you’re using https://citrix.domain.com for your NetScaler’s VIP, do not use https://citrix.domain.com for your StoreFront servers, because Citrix does not support this.

Make sure that the CallBack URL that you configure on your StoreFront’s NetScaler Gateway configuration matches the name you are using for your NetScaler VIP. Any changes to the URL will not work:

Step #1 – Bind SSL Certificate to StoreFront’s IIS Server

Begin by binding an SSL certificate to the StoreFront’s IIS server. This can be done either by generating a CSR, sending it to a public CA and completing the certificate request so the server has the private key, or simply by exporting a certificate from another source as a PFX and importing it into the StoreFront server’s Local Computer store. The certificate used in this example will be exported from the NetScaler appliance because it is a wildcard certificate.

Note that the Web Interface Address URL currently configured on the NetScaler points to http://storefront.ad.domain.com because the communication between the NetScaler and StoreFront currently uses HTTP:

With the certificate imported into the Local Computer store, launch Internet Information Services (IIS) Manager, navigate to ServerName –> Sites –> Default Web Site, then click on Bindings… under Edit Site:

Click on the Add… button in the Site Bindings:

Change the Type from http to https:

Click on the Close button after the new https binding has been added:

There isn’t a need to perform an iisreset, but you are free to do so if you like:

With the new https binding created, you should now be able to browse the StoreFront website via https:

Step #2 – Update Session Profile on NetScaler to use https URL

Now that the StoreFront server can respond to https requests, proceed with modifying the Session Profile on the NetScaler:

Update the http URL to https:

Step #3 – Recreate Virtual Server with https

You cannot actually change a Virtual Server’s configured Protocol from HTTP to HTTPS, as shown here:

This means that you’ll have to delete and recreate the Virtual Server if you already have one created, as is the case in this example. Create a new LB Virtual Server with the Add button:

Fill in the required fields and change the Protocol to SSL:

You will immediately notice that the Load Balancing Virtual Server’s State is listed as Down, and this is because a new SSL Service needs to be created and bound to this Load Balancing Virtual Server. The reason we performed this step first is that the existing HTTP Service cannot be deleted before the existing HTTP Virtual Server is deleted, since it is bound to that Virtual Server. Now that we’ve deleted and recreated the Load Balancing Virtual Server, we can remove the old HTTP Service.

Step #4 – Recreate Virtual Server Service

Navigate to Traffic Management –> Load Balancing –> Services:

Since you can’t have two Services bound to the same IP where one is HTTP and the other is SSL, we will delete the existing one and then create the SSL Service:

The new Load Balancing SSL service should immediately have its State as being Up:

Navigate to the Virtual Servers and open the Load Balancing Virtual Server for the StoreFront:

Open the Service option:

Bind the SSL service that was created earlier:

Note that even with the Service added, the Virtual Server will still be labeled as Down because there is no certificate bound:

Step #5 – Bind SSL Certificate to Load Balancing Server

The certificate that needs to be attached to this Load Balancing Virtual Server is the same certificate that is used on the StoreFront servers, and since we’re using the same wildcard certificate for the NetScaler VIP and the StoreFront HTTPS binding, the certificate should already be on the NetScaler. Proceed by opening the Load Balancing Virtual Server and clicking on the SSL Certificate configuration:

Click on No Server Certificate:

Click on the Bind button:

Bind the certificate that will be used for the StoreFront servers:

Save the configuration:

Next, click on the Persistence configuration:

Change the Persistence configuration to SOURCEIP:

Click on the Done button to exit the configuration:

Notice that the Virtual Server State is now Up:

Step #6 – StoreFront Monitoring

For better StoreFront monitoring, it is best to create the service-specific monitor that the NetScaler provides. The reason I leave it as the last item to configure on the NetScaler is that a slight misconfiguration can cause the monitor to report the StoreFront as being down. To avoid situations where I might be confused as to whether I published the site correctly or not, I like to complete all of the configuration leading to the Load Balancing Virtual Server having an Up State before I configure the monitoring.
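Steps 3 to 6 above, carried out through the NetScaler Nitro REST API from PowerShell instead of the GUI, as an added example that is not part of the original post. It assumes NetScaler 10.5 or later; the NSIP, credentials, object names, VIP, StoreFront IP and certkey name are placeholders for this environment.

```powershell
# Added example (not the post's own configuration). Assumptions: NetScaler 10.5+,
# and every address, name and credential below is a placeholder.
$nsip    = '192.0.2.10'
$headers = @{ 'X-NITRO-USER' = 'nsroot'; 'X-NITRO-PASS' = 'PLACEHOLDER_PASSWORD' }
$vs      = 'lb_vs_storefront_ssl'
$svc     = 'svc_storefront_ssl'
$monitor = 'mon_storefront'
$certkey = 'wildcard_domain_com'     # the wildcard certkey already present on the NetScaler

function Invoke-Nitro([string]$Method, [string]$Resource, [hashtable]$Body) {
    $params = @{ Uri = "http://$nsip/nitro/v1/config/$Resource"; Method = $Method
                 Headers = $headers; ContentType = 'application/json' }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Depth 5) }
    Invoke-RestMethod @params
}

# Step 3: a vserver's protocol cannot be changed, so remove the HTTP vserver
# first (it holds the binding to the HTTP service), then the HTTP service
Invoke-Nitro DELETE 'lbvserver/lb_vs_storefront_http'
Invoke-Nitro DELETE 'service/svc_storefront_http'
Invoke-Nitro POST lbvserver @{ lbvserver = @{
    name = $vs; servicetype = 'SSL'; ipv46 = '10.0.0.50'; port = 443; persistencetype = 'SOURCEIP' } }

# Step 4: SSL service to the StoreFront server's new https binding, bound to the vserver
Invoke-Nitro POST service @{ service = @{ name = $svc; ip = '10.0.0.20'; servicetype = 'SSL'; port = 443 } }
Invoke-Nitro PUT lbvserver_service_binding @{ lbvserver_service_binding = @{ name = $vs; servicename = $svc } }

# Step 5: the vserver stays Down until the certificate is bound
Invoke-Nitro PUT sslvserver_sslcertkey_binding @{ sslvserver_sslcertkey_binding = @{
    vservername = $vs; certkeyname = $certkey } }

# Step 6: StoreFront-specific monitor, added last so an earlier
# misconfiguration is not mistaken for a monitor failure
Invoke-Nitro POST lbmonitor @{ lbmonitor = @{
    monitorname = $monitor; type = 'STOREFRONT'; storename = 'Store'; secure = 'YES' } }
Invoke-Nitro PUT service_lbmonitor_binding @{ service_lbmonitor_binding = @{ name = $svc; monitor_name = $monitor } }

# Confirm the vserver now reports Up
(Invoke-Nitro GET "lbvserver/$vs").lbvserver | Select-Object name, curstate, effectivestate
```

The calls go to the NSIP over plain HTTP for brevity; in practice point them at the management interface over https and keep the password out of the script.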